On Tuesday 30 January 2007 19:11, Matthew Booth wrote: > I have a couple of requirements which on the face of it don't seem > simple to achieve with auditctl. These are: > > * Audit changes to executables > * Audit changes to configuration files > > I'll concentrate on the former as it's more obviously problematic. I > believe this would require putting a watch explicitly on every > executable in the system.
Assuming current generation of audit code... auditctl -a exit,always -F perm=w -F obj_type=sbin_t -k executables auditctl -a exit,always -F perm=w -F obj_type=bin_t -k executables auditctl -a exit,always -F perm=w -F obj_type=lib_t -k executables auditctl -a exit,always -F perm=w -F obj_type=shlib_t -k executables > If this isn't correct, please correct me and this problem goes away. Try the above. "ausearch -k executables" would let you find these events. > This does 2 things. Firstly it enforces that the system won't execute > files which aren't labelled with an executable type. This might not be a bad thing to include even if the audit rules above solve your problem. > However, I'm worried I might be stepping outside design intentions. Is > the above a good idea? I'm hoping the audit system can meet any audit requirements. If not we need to work some more at it. > Is using SELinux for writing auditing rules a good idea in general? If there are shortcomings in the audit system that you can solve another way, I guess you have no choice. But we'd like to know that people cannot use the audit system for its intended purpose. -Steve -- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
